Joel Roth-Nater <[EMAIL PROTECTED]> writes:
> My idea is to let Apache handle SSL traffic, but pass the SSL_SESSION_ID
> through mod_webapp to Tomcat. Tomcat could then use it to track its
> sessions without cookies or URL-rewriting. Before I start writing the
> code myself, I wonder if anyone has tried to do it.

If you're going to do this you're going to have to be prepared
for the case where a client reconnects but doesn't resume
a previous session. There's no guarantee in SSL that merely because
a C/S pair have communicated previously (even recently) that they
will resume that previous session. Clients and servers can
flush the session cache at any time.

Session IDs aren't really a complete substitute for cookies.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
http://www.rtfm.com/
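
The failure mode described in the reply, as an added example that is not part of the original post: a tracker keyed on the SSL session ID loses application state when a client reconnects with a full handshake, unless a durable token such as a cookie is available to rebind it. `SessionTracker`, `handle` and `demo` are hypothetical names, and the session IDs are constructed byte strings standing in for what the server's SSL layer would report.

```python
import secrets


class SessionTracker:
    """Application sessions indexed by SSL session ID, with a durable token as backup."""

    def __init__(self):
        self.by_token = {}   # durable token (e.g. cookie value) -> application state
        self.ssl_index = {}  # SSL session ID -> durable token; only a cache, may go stale

    def handle(self, ssl_session_id, cookie_token=None):
        """Return (state, token, how) for one request on a given SSL session."""
        token = self.ssl_index.get(ssl_session_id)
        if token in self.by_token:
            # The client resumed a known SSL session: the ID alone is enough.
            return self.by_token[token], token, "tls-resumed"
        if cookie_token in self.by_token:
            # Full handshake produced a new SSL session ID; the cookie still
            # identifies the application session, so rebind the new ID to it.
            self.ssl_index[ssl_session_id] = cookie_token
            return self.by_token[cookie_token], cookie_token, "cookie-fallback"
        # Unknown SSL session and no usable cookie: nothing links this
        # connection to earlier state, so a fresh session is all we can do.
        token = secrets.token_urlsafe(32)
        self.by_token[token] = {"cart": []}
        self.ssl_index[ssl_session_id] = token
        return self.by_token[token], token, "new"


def demo():
    tracker = SessionTracker()
    # Constructed session IDs; a real server reads them from its SSL layer.
    state, token, how1 = tracker.handle(b"\x01" * 32)
    state["cart"].append("book")
    _, _, how2 = tracker.handle(b"\x01" * 32)            # session resumed, same ID
    lost, _, how3 = tracker.handle(b"\x02" * 32)         # not resumed, no cookie sent
    kept, _, how4 = tracker.handle(b"\x03" * 32, token)  # not resumed, cookie sent
    return [how1, how2, how3, how4], lost["cart"], kept["cart"]


if __name__ == "__main__":
    print(demo())
```

The third request is the case the reply warns about: without the cookie, the new session ID cannot be tied to the earlier cart.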